How has the approach to information security changed since the outbreak of COVID-19? In this Q&A, Troy La Huis, a principal in the Crowe Risk Consulting area, discusses how companies have shifted from a prevention-only mindset to prevention detection and response.
Financial Education & Research Foundation (FERF): Over the 2010s, how did thinking around information security change? And then from there, can you comment on how things have specifically changed since the outbreak of COVID-19?
Troy La Huis: Look back 20 years and you think about the threat actors, the sophistication of the threat actors, and the motivations of the threat actors. Not to say that they were not sophisticated – certainly they were, and certainly there’s a fraction of them that have always been highly sophisticated and highly motivated. But it was almost like a hobby, and there was not quite the target environment for threat actors that there is today. The thinking around information security going back 10 to 20 years was that it is important, but maybe not critical.
We’ve progressed over the past decade-plus and moved dramatically to cybersecurity being a highly critical area for any organization, because everything is driven by those threat actors. The threat actors have gotten more sophisticated, more numerous. The tools that they’re using are leaps and bounds beyond what we saw a decade ago, in part because they’re sharing information, they’re collaborating, there are higher stakes, there are nation-states, there are organized crime syndicates. All of that has raised the profile of cybersecurity within the business community, and then of course that has driven the criticality to any organization.
What we’re seeing then, of course, is more exposures affecting individuals. You can look back a handful of years, and you can see some corporations that have had breaches that have had an impact on, almost, half of the country. When you add that up, certainly it’s changed the mindset where, 10 years ago, organizations certainly had budgets and they were focused primarily on prevention. Prevention being: How do we stop these attacks from occurring? And if we can stop the attacks, if we can put this nice perimeter around the organization, that’s really sufficient. But of course, if you spend any time in the cybersecurity world these days, you hear the old adage “It’s not if, but when. It’s not when, but how often.”
Organizations have shifted from a prevention-only mindset to prevention detection and response, recognizing that even with the best prevention techniques, there’s always some way that a threat actor – especially nation-states, organized criminals, and seasoned threat actors – can exploit some vulnerability in your organization. You’ve got to shift that mindset from being singularly focused on prevention to inclusive of prevention detection and response. If you look at what’s happened just in the past handful of months, it’s absolutely taken that spotlight and magnified it. Organizations spent a fair amount of money putting together these cybersecurity programs. They got comfortable with where they were in comparison to the technologies being used and the methods that employees and consumers connected to these organizations. That changed very dramatically in March.
Now prevention, detection, and response has taken that spotlight, and I think it’s probably a good thing. Not to say that there was a waning necessarily in broad strokes, but I think we were getting a little bit numb to cybersecurity. I call it the psychology of cybersecurity, where if you’re seeing these messages popping up constantly, you get a little bit of that fatalist point of view that, well, it is going to happen, and I’m only going to do so much. We’ve kind of refocused on technology and security over the past handful of months. I think that’s a positive thing overall. The other thing that I think we’re seeing and we’re going to continue to see is, at the time that employees quickly moved to working from home, consumers and businesses also needed a way to communicate with each other different from the way they have traditionally.
And so now we’re seeing our consumer or customer preferences are also changing. They still desire the same services, but now of course they’re going to get them in different ways. And we have to think about the security aspects of those relationships as well. The difference is, employees are probably more patient. Some people may disagree that employees are patient when it comes to security; however, they’re more patient than consumers who say, I used to know exactly how to get this to happen. I want it to happen faster now because technology has enabled this, and I don’t want to have to jump through multiple security hoops to get what I need. So that’s going to be a challenge and I would say a good challenge for the cybersecurity community and for businesses in general. How do you improve that customer experience? And how does cybersecurity shift from a back-office function to something that’s really front and center in those relationships with the customers?
FERF: Could you go a little bit more into detail on the shift from back office to front office?
La Huis: We talk about it quite often, that cybersecurity or information security has historically been a push function. I think a lot of people have their certain impressions of what a cybersecurity person looks like and acts like. It’s often viewed as kind of an off-in-the-corner type of service that is more disruptive than helpful to many people. Oh, we’ve got to do this. I need to change my password. I can’t use a variant of the same password. Oh, now we’ve got multifactor authentication. Now I’ve got to get this text code. And there’s all these things that are being pushed for environments where cybersecurity is deemed as a necessary thing that we all have to align to, and it’s a one-way directive push. It’s not to say that those organizations can’t succeed in cybersecurity, but we need to shift as a business community to embracing cybersecurity throughout the enterprise and making sure that everybody understands their role in cybersecurity. There’s an exercise that we’re seeing organizations go through that allows you to identify by role what responsibilities people have and what exposure points they create for the organization when it comes to information security. With that knowledge, you can then embed policies and procedures and create awareness at the role or responsibility level rather than trying to create some blanket procedures or blanket policies or one-size-fits-all training.
That level of embedding cybersecurity at the source is proving to decrease the exposure that’s typically created at the end point or at the user point. I could probably talk a little bit more about that in different variants. That’s the heart of extending cybersecurity outside of the technology aspect and really making it a part of the overall culture of the organization.
If you look at the statistics, the breaches that occurred over the past few years, more than 70% of those breaches started with some form of a phishing exercise – phishing being the social engineering that you send an email, or there’s a phone call that somebody reveals their credentials or something that’s critical to the security organization. And that’s typically how threat actors enter the organization. If you focus entirely on cybersecurity as a technology solution, you’re going to miss that significant vulnerability point, not to mention your third parties and the vulnerabilities that they create.
FERF: You’ve mentioned the importance of reinforcing some of these good practices. How has the rapid increase in remote work changed or really stressed companies’ information security?
La Huis: I think to start with, one has to recognize that in December of last year, cybersecurity departments within any organization were understaffed and overworked to begin with. The statistics will tell you that we are at a 2 million-plus shortage of cybersecurity workers in this country. And we may not solve for that for a long time. Cybersecurity programs have budgets just like everybody else. Now, all of a sudden, you’ve thrown this crisis in front of them.
What we’re seeing looking back is that they made an immediate pause on certain activities, whether they were planned investments, transformations, or even – in some unfortunate cases – day-to-day activities. The cyber hygiene of an organization – things like monitoring for incidents, monitoring for indicators of compromise, standard patching – these types of things were put on the back burner, as were planning and testing and training. These are all things that are still critical but are certainly less critical than making sure that the 50% of our workforce that immediately became mobile has the right technology and making sure that we can connect them properly and making sure that that connection is secure and then making sure that they’re operating in a secure fashion.
You asked me earlier about moving the function of the responsibility of cybersecurity from the information group to the larger population. Now that population that we depend upon to be our first line of defense is under their own set of stresses, right? They’re working in a completely different environment, albeit at their home environment. There’s a whole range of things that are going on at that home right now that they didn’t deal with before. They were also accustomed to certain protocols or procedures when they’re in the office on things that they could do and they couldn’t do. People could authorize certain activities by having a conversation or seeing them face to face. Now that’s all different. And so how did people adjust to all of that? You’re seeing not only did organizations have to put in the technology to enable the workforce to continue, they had to put on a layer of security to that, which is obvious.
But then, in some cases, you had to reevaluate your policies and procedures for almost everything, including, and most importantly, cybersecurity to make sure that when we were foregoing certain texts in the process, there was a security measure that was maybe additionally in place.
I said a lot of things there, but if I were to summarize what happened and what’s happening right now, because most cybersecurity functions do not have the luxury of extra time or extra budget, you now find yourself in a trade-off situation where what they were doing or what they were planning in some cases had to be paused in order for them to divert their resources to handling this other – this mobility – change.
We’re also in this interesting space right now that many organizations, if you go back to March, thought they were putting temporary measures in place. While they were securing the devices and securing changing policies and procedures, a lot of people did this with the mindset that this would be temporary. So maybe we don’t need to get the Cadillac version of whatever we’re doing, because we’re going to roll this back in a few months and all these laptops are going to be put on a shelf or this VPN [virtual private network].
Maybe we don’t need to test everything about it because we’re going to roll this back. It’s not going to be quite as extensive as numerous other things. Well, here we are now, and the organizations that we’re working with are saying, “Well, maybe this is going to go in some flavor until January and beyond,” right? I don’t have precise statistics on this, but I would say that at least 50% of the organizations that we’re working with are saying that a majority of their workforce that they moved to mobile will probably stay mobile indefinitely. Now you’re faced with asking, Did I make the right decisions, or do I have to pivot once again to hardening this a little bit further, to make it robust enough to withstand the long haul?
I think it’s exciting in some regards for cybersecurity professionals to be in the center of all this and to really be responsible for making sure that the organization’s secure in pivoting in alignment with the rapid change of decisions that are going on with organizations. Yet at the same time, those individuals were doing something important and effective with their jobs before this. And now we’re still in that trade-off situation. And probably more so as we hit the next budget cycle, because in the next budget cycle, you’re probably going to see a reduction in budgets for most organizations across the board, and cybersecurity typically is not spared from that.
FERF: What are the things that finance teams need to be mindful of with regard to evaluating the impact these investments have had on the company’s information security?
La Huis: There are maybe a few of different ways to look at that.
From a financial standpoint, as we were just talking about, some of these things were put in place with the idea that it would be temporary – that the life cycle of some of these changes and the way that you can treat those financially would be abbreviated. But now of course, some of these are going to be throwaway. Some of these investments are just in order for us to make a one-time pivot or change within the organization, and we’re not going to see a long-term return on some of those things. In other cases, they would have set the foundation for greater investment or greater expansion.
It was inevitable and not in the sense that we had a crisis of that sort, but the transformation that it caused was going to happen over time regardless. Of course, I don’t think anybody anticipated the acceleration of the change to be a matter of weeks or months.
For many organizations, there was some flavor of this probably on a road map somewhere, or part of their digital transformation in their long- term strategy, both from the customer perspective as well as their employees’ perspective. These investments were probably being contemplated, but again, the velocity of the change did not allow most organizations to say that they’re getting their finest and best solutions in place for this. As a result of that, I do think that some of this is going to be written off as a function of the time and not necessarily as a permanent investment. There are things that are happening right now for organizations that they are being thrust into this, but they are making very quick and, I would say, well-aligned solutions to their strategy. So, these investments will pay off in the long run.
What’s historically been a problem with cybersecurity is the lack of ability to truly measure or to quantify the risk of cybersecurity in financial terms. It’s an issue that’s now sort of being solved for if you pay attention, and I know a lot of CFOs are probably aware of this, maybe not as many in the financial space, but there are tools that have been coming into the market for the past 12 months labeled with this risk quantification tool. And they’re really impressive in their ability to identify and predict or project the loss that would be incurred as a result of certain types of cybersecurity events.
What that further allows them to do is measure the return on investment against that forecast and loss. For example, you’re an organization of a moderate size, moderate complexity, and you have certain scenarios that could expose the organization to moderate to high risk that might create an exposure of $5 million to $10 million of any one of these threat scenarios. With that knowledge and the right tooling, you can then measure the investments of putting in multifactor authentication or improving your endpoint detection.
When cybersecurity professionals ask for half a million dollars, the question is, well, what is this going to get me? Well now you can actually measure that half a million dollars and say, “OK, well, our projected losses for the next 12 months under these certain events would be – let’s just pick a number – $7.5 million.” Well, this half a million dollar investment could lower that projected loss from $7.5 million to $6 million.
Right now, we have something to work with to understand if that half a million dollars is better spent here or in some other part of the organization. There’s a minimum level of controls that need to be in place with the organization, but strengthening those controls is now an easier conversation to have financially with some of these tools.
There are a few different ways to look at that, and the good news is that there are increased tools and modeling available to the financial community to be able to make some of these more informed decisions.
FERF: Over the past few years, there’s been an increase in academic literature and in terms that they use for the dark side of digital transformation. Would they identify issues, new risks, from some of these emerging technologies? From your perspective and from your understanding, how do some of these emerging technologies change the risk equation?
La Huis: If the risk equation is the battle between good and evil, the battle between the threat actors and the good guys, then I think it’s going to show up on both sides of the equation. And here’s why. I think there are a few primary technologies or methods that people are utilizing on both sides in this cyber war – RPA [robotic process automation], artificial intelligence [AI], big data – that are not necessarily a technology, but a utilization that uses technology.
What you’re seeing is on the good side, it’s difficult to look at a new technology that’s come about in the past two years without them advertising some flavor of artificial intelligence being embedded, whether it’s next-generation firewalls, SIEM [security information and event management] tools, or even some antivirus and endpoint detection. All of these tools we have, and these technology vendors have access to a lot more, and they’re aggregating the information that they’re gathering from their customers in a way that allows them to apply artificial intelligence machine learning to be able to make faster decisions, and in cybersecurity speed is everything.
The ability to be able to identify something’s happening and shut it down immediately is one of the biggest advantages of using AI machine learning and all of this, and removing the RPA part comes in a little bit, removing the need for humans to be a part of that process. Unfortunately, threat actors – their sophistication is amazing. And I don’t say that in awe necessarily, but I say that to really drive home the point that it’s not just the nation-states that have abundant resources.
What I mentioned earlier is true, that they’re collaborating much the way that we collaborate in the business world, to create more powerful tools that they use. And they’re embedding the same technologies – AI and machine learning – into those technologies as well. It’s definitely a cat-and-mouse game where everybody has access to some degree to the same level of technology. And it’s who’s going to be able to make the most of that. I would say that even though I’m talking about how sophisticated these threat actors are, there’s reason to be very optimistic with the way that we’re utilizing technology and the new forms of technology that are coming out for the good guys to use. There’s an abundance of people that are thinking about how to use these tools. And I think we’re going to see further and further automation, and that’s going to allow us to shrink the time to detect an incident that’s occurring, and that’s probably one of the biggest areas for improvement within cybersecurity today.
FERF: What are your final thoughts?
La Huis: My hope is that feeling, that understanding, does not change as we start to move further and further away from this moment.
In fact, many organizations are going to continue to propel their digital transformation. They’re moving to the cloud, whatever it is that they have, that is a part of their future strategy. I would say that that is incredibly beneficial and maybe even critical to embed cybersecurity at the source of that decision-making and that strategy. So, I would encourage people as much as they’re focused on cybersecurity today, to increase that level of focus by including your cybersecurity professionals in making strategy and embedding them into the business. You’d be surprised at how much cybersecurity can be a competitive advantage for organizations when you’re including that mentality and that thought in your strategies.
Sign up to receive the latest cybersecurity insights on identifying threats, managing risk, and strengthening your organization’s security posture. Subscribe Now
This Q&A with Crowe Principal and Digital Security Services Leader Troy La Huis regarding information security was recorded for The Financial Executive Podcast. The conversation has been edited for brevity and clarity.